Cisco Acs 5x User Guide

    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 13      Managing Reports
      Understanding Charts
    Changing Chart Subtype
    Charts have subtypes, which you can change as needed:
    Bar chart—Side-by-Side, Stacked, Percent Stacked
    Line chart—Overlay, Stacked, Percent Stacked
    Area chart—Overlay, Stacked, Percent Stacked
    Meter chart—Standard, Superimposed
    Stock chart—Candlestick, Bar Stick 
    Many chart types offer two-dimensional subtypes, in which the chart shape appears flat against the chart
    background. Some charts can also be displayed with depth. A chart with depth appears to have added
    dimension. To change the subtype of a chart:
    Step 1 Right-click the chart whose subtype you want to modify.
    Step 2 Select Chart Subtype.
    The Chart Subtype dialog box appears.
    Step 3 Select the desired chart subtype.
    Changing Chart Formatting
    Some of the formatting for a chart, such as the colors of the bars in a bar chart and the background color 
    of the chart, comes from the report template or the theme. 
    When viewing the report you can modify other items of the chart’s format, including the fonts and font 
    sizes of the chart title and axis labels, and the height and width of the chart. You can hide axis labels, 
    place labels at an angle relative to the axis, and hide the legend or determine where to display the legend 
    in relation to the chart.
    You can modify other aspects of the chart’s appearance by right-clicking the chart and choosing Format. 
    In the dialog box that appears, choose the desired formatting properties.
    To modify other aspects of the chart’s appearance, use Format Chart, shown in Figure 13-50. 
    						
    Figure 13-50 Chart Formatting Options
    You use this page to:
    Edit and format the default chart title.
    Edit and format the default title for the category, or x-, axis.
    Modify settings for the labels on the x-axis. You can:
    –Indicate whether to display x-axis labels.
    –Indicate whether to rotate x-axis labels and set the degree of rotation.
    –Indicate whether to stagger x-axis labels. For example, you can show data points for every third 
    month, every ten days, every other year, and so on.
    –Set the interval for staggered x-axis labels.
    Edit and format the default title for the y-axis, if the chart uses a y-axis.
    Set the chart’s height and width.
    Select the dimension. The options are 2-dimensional and 2-dimensional with depth. 
    Indicate whether to flip, or reverse, the chart’s x- and y-axes. 
    Indicate whether to show a legend, and if so, whether to place it above the chart, below the chart, or 
    to the left or right of the chart. 
    						
    Chapter 14      Troubleshooting ACS with the Monitoring & Report Viewer
    This chapter describes the diagnostic and troubleshooting tools that the Monitoring & Report Viewer 
    provides for the Cisco Secure Access Control System.
    This chapter contains the following sections:
    Available Diagnostic and Troubleshooting Tools
    Performing Connectivity Tests
    Downloading ACS Support Bundles for Diagnostic Information
    Working with Expert Troubleshooter
    Available Diagnostic and Troubleshooting Tools
    The Monitoring & Report Viewer provides the following:
    Connectivity Tests
    ACS Support Bundle
    Expert Troubleshooter
    Connectivity Tests
    When you have authentication problems, you can perform a connectivity test to check for connectivity 
    issues. You can enter the hostname or the IP address of the network device that you are trying to connect 
    with and execute the following commands from the web interface: ping, traceroute, and nslookup. 
    The Monitoring & Report Viewer displays the output of these commands. See Performing Connectivity 
    Tests, page 14-3 for detailed instructions on how to perform the connectivity tests.
    ACS Support Bundle
    You can use the ACS support bundle to prepare diagnostic information for TAC to troubleshoot problems 
    with ACS. 
    						
    Support bundles typically contain the ACS database, log files, core files, and Monitoring & Report 
    Viewer support files. You can exclude certain files from the support bundle, per ACS node. You can 
    download the support bundle to your local computer. The browser (depending on its configuration) 
    displays the progress of the download and prompts you to save the support bundle to an appropriate 
    location.
    If the ACS server is a primary instance, the support bundle includes an export of the ACS 
    configuration. 
    If the ACS server is a secondary instance, the ACS database is not included. 
    If the ACS server is a log collector, the support bundle includes an export of the monitoring and 
    report configuration and collected AAA audit and diagnostic logs.
    If the ACS server is not the log collector, the monitoring and reporting configuration is not included 
    in the support bundle. See Downloading ACS Support Bundles for Diagnostic Information, 
    page 14-4 for detailed instructions on how to download ACS support bundles.
    Expert Troubleshooter
    Expert Troubleshooter is an easy-to-use, web-based troubleshooting utility that helps you diagnose and 
    troubleshoot problems in ACS deployments. It reduces the time that you take to diagnose the problem 
    and provides you detailed instructions on how to resolve the problem.
    You can use Expert Troubleshooter to diagnose and troubleshoot passed and failed authentications. For 
    example, if a user is unable to gain access to the network, you can use the Expert Troubleshooter to 
    diagnose the cause of this problem.
    Expert Troubleshooter provides you the option to run show commands on any network device from the 
    ACS web interface. The output of the show command is returned to you in precisely the same manner 
    as the output appears on a console.
    You can use Expert Troubleshooter to evaluate the configuration of any network device to see if there 
    are any discrepancies that cause the problem.
    In addition, Expert Troubleshooter provides you four diagnostic tools for troubleshooting Security 
    Group Access device-related problems.
    The Expert Troubleshooter identifies the cause of the problem and lists an appropriate course of action 
    that you can take to resolve the problem. See Working with Expert Troubleshooter, page 14-5 for more 
    information on the various tools that Expert Troubleshooter offers.
    Table 14-1 describes the diagnostic tools that ACS 5.3 offers:
    Table 14-1 Expert Troubleshooter - Diagnostic Tools
    | Diagnostic Tool | Description |
    |---|---|
    | RADIUS Authentication Troubleshooting | Troubleshoots a RADIUS authentication. See Troubleshooting RADIUS Authentications, page 14-6 for more information. |
    | Execute Network Device Command | Executes any show command on a network device. See Executing the Show Command on a Network Device, page 14-9 for more information. |
    | Evaluate Configuration Validator | Evaluates the configuration of a network device. See Evaluating the Configuration of a Network Device, page 14-10 for more information. |
    | Trust Sec Tools | |
    | Egress (SGACL) Policy | Compares the Egress Policy (SGACL) between a network device and ACS. See Comparing SGACL Policy Between a Network Device and ACS, page 14-11 for more information. |
    | SXP-IP Mappings | Compares SXP mappings between a device and peers. See Comparing the SXP-IP Mappings Between a Device and its Peers, page 14-12 for more information. |
    | IP User SGT | Compares IP-SGTs on a device with ACS authentication-assigned User-IP-SGT records. See Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records, page 14-14 for more information. |
    | Device SGT | Compares device SGT with ACS-assigned SGT. See Comparing Device SGT with ACS-Assigned Device SGT, page 14-15 for more information. |
    Performing Connectivity Tests
    You can test your connectivity to a network device with the device’s hostname or IP address. For
    example, you can verify your connection to an identity store by performing a connectivity test.
    To test connectivity between your ACS and a device’s hostname or IP address:
    Step 1 Select Monitoring and Reports > Troubleshooting > Connectivity Tests.
    The Connectivity Tests page appears as described in Table 14-2:
    Table 14-2 Connectivity Tests
    | Option | Description |
    |---|---|
    | Hostname or IP Address | Enter the hostname or IP address of a connection you want to test. Click Clear to clear the hostname or IP address that you have entered. |
    | ping | Click to see the ping command output, where you can view the packets sent and received, packet loss (if any) and the time for the test to complete. |
    | traceroute | Click to see the traceroute command output, where you can view the intermediary IP addresses (hops) between your ACS and the tested hostname or IP address, and the time for each hop to complete. |
    | nslookup | Click to see the nslookup command output, where you can see the server and IP address of your tested domain name server hostname or IP address. |
    Step 2 Modify the fields in the Connectivity Tests page as required.
    Step 3 Click ping, traceroute, or nslookup, depending upon your test.
    The output of the ping, traceroute, or nslookup command appears.
    						
    Related Topics
    Available Diagnostic and Troubleshooting Tools
    Connectivity Tests
    ACS Support Bundle
    Expert Troubleshooter
    Downloading ACS Support Bundles for Diagnostic Information
    To create and download an ACS support bundle:
    Step 1 Select Monitoring and Reports > Troubleshooting > ACS Support Bundle.
    The ACS Support Bundle page appears with the fields described in Table 14-3:
    Table 14-3 ACS Support Bundle Page
    | Option | Description |
    |---|---|
    | Server | Name of an ACS node instance. Click to display the Download Parameters for the Server page, to create and download an ACS support bundle for the ACS node instance. |
    | IP Address | Display only. Indicates the IP address of an associated ACS node. |
    | Node Designation | Display only. Indicates the primary or secondary instance of an associated ACS node. |
    Step 2 Choose a server and click Get Support Bundle.
    The Download Parameters for the Server page appears. You can create and download an ACS support
    bundle for the associated ACS node instance.
    Step 3 Select the download options you want to incorporate in your ACS support .tar.gz file.
    Downloading a support bundle can be slow if the size of the file is extremely large. For faster downloads,
    do not include core files and View support files in the support bundle.
    The options are:
    Encrypt Support Bundle—Check this box to encrypt the support bundle. Specify the decrypting
    password in Passphrase and confirm the password in Confirm Passphrase.
    Include full configuration database—Check this box to have the whole database included in the
    support bundle. If this option is not checked, only a subset of the database is included in the support
    bundle. Click Include sensitive information or Exclude sensitive information to include or
    exclude sensitive information in the logs.
    Sensitive information consists of passwords in the encrypted format, ACS configuration data, and
    so on.
    Include debug logs—Check this check box to include debug logs, then click All, or click Recent and
    enter a value from 1 to 999 in the file(s) field to specify which debug logs to include.
    Include local logs—Check this check box to include local logs, then click All, or click Recent and
    enter a value from 1 to 999 in the file(s) field to specify which debug logs to include.
    Include core files—Check this check box to include core files, then click All or click Include files
    from the last and enter a value from 1 to 365 in the day(s) field.
    Include monitoring and reporting logs—Check this check box to include monitoring and reporting
    logs, then click All or click Include files from the last and enter a value from 1 to 365 in the day(s)
    field.
    Specify which monitoring and reporting logs to include:
    –AAA Audit
    –AAA Diagnostics
    –System Diagnostics
    –AAA Accounting
    –Administrative and Operational Audit
    Include system logs—Check the check box to include system logs, then click All or Recent and
    enter a value from 1 to 999 in the file(s) field.
    You can enter a description in the Description field, if needed.
    Step 4 Click:
    Download to download the support bundle with the options you specified. The support bundle is
    created and downloaded.
    Restore Defaults to clear the changes you made and return to the default settings.
    Note: By default, ACS does not pick up the core files while creating or downloading the support bundle
    for the associated ACS node instance. If you want to include the core files in the support bundle, you can
    check the Include core files check box. You can check the Encrypt Support Bundle check box to encrypt the
    support bundle in ACS. It will ensure that the core files are encrypted and included in the support
    bundle.
    Related Topics
    Available Diagnostic and Troubleshooting Tools
    Connectivity Tests
    ACS Support Bundle
    Expert Troubleshooter
    Working with Expert Troubleshooter
    The following sections describe how to use the Expert Troubleshooter diagnostic tools:
    Troubleshooting RADIUS Authentications
    Executing the Show Command on a Network Device
    Evaluating the Configuration of a Network Device
    Comparing SGACL Policy Between a Network Device and ACS
    Comparing the SXP-IP Mappings Between a Device and its Peers
    Comparing IP-SGT Pairs on a Device with ACS-Assigned SGT Records
    Comparing Device SGT with ACS-Assigned Device SGT
    Related Topics
    Available Diagnostic and Troubleshooting Tools
    Connectivity Tests
    ACS Support Bundle
    Expert Troubleshooter
    Troubleshooting RADIUS Authentications
    Use the RADIUS Authentication diagnostic tool to troubleshoot issues with RADIUS authentications. 
    To do this, you must:
    Step 1 Choose Monitoring and Reports > Troubleshooting > Expert Troubleshooter.
    The Expert Troubleshooter page appears.
    Step 2 Select RADIUS Authentication Troubleshooting from the list of troubleshooting tools.
    The RADIUS Authentication Troubleshooter page appears.
    Step 3 Modify the fields as shown in Table 14-4 to filter the RADIUS authentications that you want to
    troubleshoot.
    Table 14-4 RADIUS Authentication Troubleshooter Page
    | Option | Description |
    |---|---|
    | Search and select a RADIUS authentication for troubleshooting | |
    | Username | Enter the username of the user whose authentication you want to troubleshoot, or click Select to choose the username from a list. Click Clear to clear the username. |
    | MAC Address | Enter the MAC address of the device that you want to troubleshoot, or click Select to choose the MAC address from a list. Click Clear to clear the MAC address. |
    | Audit Session ID | Enter the audit session ID that you want to troubleshoot. Click Clear to clear the audit session ID. |
    | NAS IP | Enter the NAS IP address or click Select to choose the NAS IP address from a list. Click Clear to clear the NAS IP address. |
    | NAS Port | Enter the NAS port number or click Select to choose a NAS port number from a list. Click Clear to clear the NAS port number. |
    | Authentication Status | Choose the status of your RADIUS authentication from the Authentication Status drop-down list box. The available options are: Pass or Fail; Pass; Fail. |
    | Failure Reason | Enter the failure reason or click Select to choose a failure reason from a list. Click Clear to clear the failure reason. |
    | Time Range | Define a time range from the Time Range drop-down list box. The Monitoring & Report Viewer fetches the RADIUS authentication records that are created during this time range. The available options are: Last hour; Last 12 hours; Today; Yesterday; Last 7 days; Last 30 days; Custom. |
    | Start Date-Time | (Only if you choose Custom Time Range) Enter the start date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format. |
    | End Date-Time | (Only if you choose Custom Time Range) Enter the end date and time, or click the calendar icon to select the end date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format. |
    | Fetch Number of Records | Choose the number of records that you want the Monitoring & Report Viewer to fetch at a time from the Fetch Number of Records drop-down list. The available options are 10, 20, 50, 100, 200, and 500. |
    Step 4 Click Search to display the RADIUS authentications that match your search criteria.
    The Search Result table is populated with the results of your search. The following fields appear in the
    table: Time, Status, Username, MAC Address, Audit Session ID, Network Device IP, Failure Reason,
    and Access Service.
    Step 5 Choose the RADIUS authentication record from this table that you want to troubleshoot, and click
    Troubleshoot.
    The Expert Troubleshooter begins to troubleshoot your RADIUS authentication. The Monitoring &
    Report Viewer prompts you for additional input, if required.
    For example, if the Expert Troubleshooter must connect to a network device, it prompts you for
    connection parameters and login credentials.
    Step 6 Click the User Input Required button and modify the fields as described in Table 14-5.
    Step 7 Click Submit.
    The Progress Details page appears. This page provides a summary and might prompt you for additional
    input, if required. If the Monitoring & Report Viewer requires additional input, you must click the
    User Input Required button. A dialog box appears.
    Modify the fields in the dialog box as described in Table 14-5 and click Submit.
    Step 8 Click Done to return to the Expert Troubleshooter.
    The Progress Details page refreshes periodically to display the tasks that are performed as
    troubleshooting progresses. After the troubleshooting is complete, the Show Results Summary button
    appears.
    Step 9 Click Show Results Summary.
    The Results Summary page appears with the information described in Table 14-6.
    Table 14-5 Progress Details Page - User Input Dialog Box
    | Option | Description |
    |---|---|
    | Specify Connection Parameters for Network Device a.b.c.d | |
    | Username | Enter the username for logging in to the network device. |
    | Password | Enter the password. |
    | Protocol | Choose the protocol from the Protocol drop-down list. Valid options are Telnet and SSHv2. Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device. |
    | Port | Enter the port number. |
    | Enable Password | Enter the enable password. |
    | Same As Login Password | Check this check box if the enable password is the same as the login password. |
    | Use Console Server | Check this check box to use the console server. |
    | Console IP Address | (Only if you check the Use Console Server check box) Enter the console IP address. |
    | Advanced (Use these if you see an “Expect timeout error” or you know that the device has non-standard prompt strings). The Advanced options appear only for some of the troubleshooting tools. | |
    | Username Expect String | Enter the string that the network device uses to prompt for username; for example, Username:, Login:, and so on. |
    | Password Expect String | Enter the string that the network device uses to prompt for password; for example, Password:. |
    | Prompt Expect String | Enter the prompt that the network device uses. For example, #, >, and @. |
    | Authentication Failure Expect String | Enter the string that the network device returns when there is an authentication failure; for example, Incorrect password, Login invalid, and so on. |
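
The Advanced expect strings in Table 14-5 matter because a scripted login waits for specific text before it sends each credential. The following Python example is added here and is not Cisco code: it simulates that dialogue against a constructed fake device and shows how a non-standard prompt ends in an expect timeout until the strings are adjusted. The class and function names, the hostname, the credentials and the default strings (picked from the table's examples) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ExpectStrings:
    """The four Advanced fields of Table 14-5. The defaults here are picked
    from the table's examples; they are assumptions, not ACS's own defaults."""
    username: str = "Username:"
    password: str = "Password:"
    prompt: str = "#"
    auth_failure: str = "Login invalid"


class FakeDevice:
    """Constructed stand-in for a network device's login dialogue."""

    def __init__(self, user_prompt, pass_prompt, shell_prompt, failure_text):
        self.user_prompt, self.pass_prompt = user_prompt, pass_prompt
        self.shell_prompt, self.failure_text = shell_prompt, failure_text
        self.valid = ("admin", "s3cret")          # constructed credentials
        self.user = None
        self.pending = "\r\nUser Access Verification\r\n\r\n" + user_prompt + " "

    def read(self):
        """Return whatever the device has written since the last read."""
        out, self.pending = self.pending, ""
        return out

    def send(self, line):
        if self.user is None:                     # first answer is the username
            self.user = line
            self.pending = self.pass_prompt + " "
        elif (self.user, line) == self.valid:
            self.pending = "\r\nedge-sw1" + self.shell_prompt
        else:                                     # reject and prompt again
            self.user = None
            self.pending = ("\r\n% " + self.failure_text + "\r\n\r\n"
                            + self.user_prompt + " ")


def login(device, username, password, expect, max_reads=5):
    """Match expect strings against device output and answer each prompt.

    Returns 'logged-in', 'auth-failure' or 'expect-timeout'.
    """
    buf, sent_user, sent_pass = "", False, False
    for _ in range(max_reads):
        buf += device.read()
        tail = buf.rstrip()
        # Test the failure string first: a rejected login is followed by a new
        # username prompt, which must not be mistaken for progress.
        if expect.auth_failure in buf:
            return "auth-failure"
        if not sent_user and tail.endswith(expect.username):
            device.send(username)
            sent_user, buf = True, ""
        elif sent_user and not sent_pass and tail.endswith(expect.password):
            device.send(password)
            sent_pass, buf = True, ""
        elif sent_pass and tail.endswith(expect.prompt):
            return "logged-in"
    return "expect-timeout"                       # no configured string matched


if __name__ == "__main__":
    odd = ("login:", "Password:", ">", "Access denied")   # non-standard device
    tuned = ExpectStrings(username="login:", prompt=">", auth_failure="Access denied")
    print(login(FakeDevice(*odd), "admin", "s3cret", ExpectStrings()))
    print(login(FakeDevice(*odd), "admin", "s3cret", tuned))
    print(login(FakeDevice(*odd), "admin", "wrong", tuned))
```

If the failure string is left at a value the device never prints, a rejected password shows up as an expect timeout rather than an authentication failure. Over Telnet, the default protocol in Table 14-5, the credentials sent in answer to these prompts cross the network unencrypted; SSHv2 avoids that.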
    						